[Top Dog]

I am trying to require authentication for a specific folder of a website. It is an administration area, so there is no need for multiple users or roles. Either you are the admin or not. I thought I could get it to work using this code in the webconfig:

<authentication mode="Forms">

	  <forms loginUrl="adminlogin.aspx">

		<credentials>

		  <user name="admin" password="admin" />

		</credentials>

	  </forms>

	</authentication>
 </system.Web>
 <location path="admin">
	<system.web>
	  <authorization>
		<deny users="?" />
	  </authorization>
	</system.web>
  </location>

This works well in prohibiting access to anything in the directory "admin" it bounces you back to the login page. Only problem is when you log it with admin,admin, it then redirects to the page it is supposed to, but I get the following error:

"An error has occurred while establishing a connection to the server. When connecting to SQL Server 2005, this failure may be caused by the fact that under the default settings SQL Server does not allow remote connections. (provider: SQL Network Interfaces, error: 26 - Error Locating Server/Instance Specified)"

I thought maybe it was due to the webpage being access AFTER authentication connecting to the remote database, but I created a "test.aspx" page, putting only some text in the body, and put it in the admin folder. On loging in, it throws the same error.

What database is the login.aspx page trying to access?

[JayFCox]

Top Dog, on 22 May, 2009 - 10:42 AM, said:

<snip />

This works well in prohibiting access to anything in the directory "admin" it bounces you back to the login page. Only problem is when you log it with admin,admin, it then redirects to the page it is supposed to, but I get the following error:

"An error has occurred while establishing a connection to the server. When connecting to SQL Server 2005, this failure may be caused by the fact that under the default settings SQL Server does not allow remote connections. (provider: SQL Network Interfaces, error: 26 - Error Locating Server/Instance Specified)"

I thought maybe it was due to the webpage being access AFTER authentication connecting to the remote database, but I created a "test.aspx" page, putting only some text in the body, and put it in the admin folder. On loging in, it throws the same error.

What database is the login.aspx page trying to access?

I'm not seeing anything wrong with your authentication code, although I see you do mention it is a remote server, but the server isn't set up for remote connections.

[Gaurav Singla]

Hey, You should try debugging your code. Perhaps the exception is being generated by some sql statement in your code. As i know, this type of exception is generated by sql server when supplying wrong connection string.
Just try to debug your code and figure it out which statement is causing this exception.

[baavgai]

It looks like you've already got a database authentication mechanism running?

If it's only one page, I'd just do something outside ASP.NET's mechanism. I seem to always end up rolling my own, anyhow.

On the page you want protected, put something like this:

protected void Page_Load(object sender, EventArgs e) {
	string userName = (string)Session["CurrentUser"];
	if (userName != "admin") {
		this.Response.Write("<html><p>Sorry, only authorized users can access this content.</p>");
		this.Response.Write("<p>Please <a href=\"Login.aspx\">login</a>.</p>");
		this.Response.End();
	}
}

In your login page as for a username and password. If it passes, place it in the session and redirect back to the calling page.

[woodjom]

Is this a Intranet or Extranet site?

If this is Extranet (internet) then i would suggest having a login page or a login widget placed in your home page and authenticating that way into the admin section. Alot easier than what you are trying to do.

Dont use web.config to catalog the username and passwords for access to areas. I would incorporate at least an access database for this and use access rights to control where they go.